Closed
Bug 18285
Opened 26 years ago
Closed 25 years ago
Warning "aFrame is already associated with a region" (was crash on infoworld)
Categories
(Core :: CSS Parsing and Computation, defect, P4)
Core
CSS Parsing and Computation
Tracking
()
VERIFIED
FIXED
M16
People
(Reporter: dejong, Assigned: buster)
References
()
Details
(Keywords: crash)
Attachments
(1 file)
|
21.92 KB,
text/html
|
Details |
I was surfing on http://www.infoworld.com and it seemed to get stuck so
I pressed the stop button. After doing that I got this SIGSEV. I was
using a CVS build from Nov 6th on a RedHat 5.2 Linux system.
Here is the code inside layout/html/style/src/nsCSSFrameConstructor.cpp line
6548.
6543 // Get view if this frame has one and trigger an update. If the
6544 // frame doesn't have a view, find the nearest containing view
6545 // (adjusting r's coordinate system to reflect the nesting) and
6546 // update there.
6547 nsIView* view = nsnull;
6548 aFrame->GetView(&aPresContext, &view);
6549 nsIView* parentView;
6550 if (! view) { // XXX can view have children outside it?
6551 aFrame->GetOffsetFromView(&aPresContext, viewOffset, &parentView);
6552 NS_ASSERTION(nsnull != parentView, "no view");
It looks like the aFrame pointer is OK but that something does wrong inside the
GetView call.
(gdb) print aFrame
$1 = (nsIFrame *) 0x873f2b0
(gdb) call aFrame->GetView(&aPresContext, &view)
Cannot access memory at address 0x2e74643d.
Here is the stack trace I got.
#0 0x40ea66a9 in ApplyRenderingChangeToTree (aPresContext=@0x846d638,
aFrame=0x873f2b0,
aViewManager=0x0) at
../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:6548
#1 0x40ea6df7 in nsCSSFrameConstructor::ProcessRestyledFrames (this=0x8584ae0,
aChangeList=@0xbfffe864, aPresContext=0x846d638)
at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:6707
#2 0x40ea74c9 in nsCSSFrameConstructor::ContentStatesChanged (this=0x8584ae0,
aPresContext=0x846d638, aContent1=0x8543854, aContent2=0x8866784)
at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:6826
#3 0x40f969ed in StyleSetImpl::ContentStatesChanged (this=0x8584a90,
aPresContext=0x846d638,
aContent1=0x8543854, aContent2=0x8866784) at
../../../../layout/base/src/nsStyleSet.cpp:983
#4 0x40d8a177 in PresShell::ContentStatesChanged (this=0x86fe3a8,
aDocument=0x8754d00,
aContent1=0x8543854, aContent2=0x8866784)
at ../../../../../layout/html/base/src/nsPresShell.cpp:1849
#5 0x40f598ef in nsDocument::ContentStatesChanged (this=0x8754d00,
aContent1=0x8543854,
aContent2=0x8866784) at ../../../../layout/base/src/nsDocument.cpp:1491
#6 0x40d41fb6 in nsEventStateManager::SetContentState (this=0x8780b78,
aContent=0x8543854,
aState=3) at ../../../../layout/events/src/nsEventStateManager.cpp:1515
#7 0x40dabd33 in nsHTMLAnchorElement::HandleDOMEvent (this=0x8543848,
aPresContext=@0x846d638,
aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
at ../../../../../layout/html/content/src/nsHTMLAnchorElement.cpp:356
#8 0x40f6d350 in nsGenericElement::HandleDOMEvent (this=0x8359694,
aPresContext=@0x846d638,
aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
at ../../../../layout/base/src/nsGenericElement.cpp:777
#9 0x40e160ed in nsHTMLTableElement::HandleDOMEvent (this=0x8359680,
aPresContext=@0x846d638,
aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
at ../../../../../layout/html/content/src/nsHTMLTableElement.cpp:1302
#10 0x40f6d350 in nsGenericElement::HandleDOMEvent (this=0x879852c,
aPresContext=@0x846d638,
aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
at ../../../../layout/base/src/nsGenericElement.cpp:777
#11 0x40e24d45 in nsHTMLTableSectionElement::HandleDOMEvent (this=0x8798518,
aPresContext=@0x846d638, aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4,
aEventStatus=@0xbffff084)
at ../../../../../layout/html/content/src/nsHTMLTableSectionElement.cpp:373
#12 0x40f6d350 in nsGenericElement::HandleDOMEvent (this=0x8725edc,
aPresContext=@0x846d638,
aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
at ../../../../layout/base/src/nsGenericElement.cpp:777
#13 0x40e228e9 in nsHTMLTableRowElement::HandleDOMEvent (this=0x8725ec8,
aPresContext=@0x846d638,
aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=4, aEventStatus=@0xbffff084)
at ../../../../../layout/html/content/src/nsHTMLTableRowElement.cpp:738
#14 0x40f6d350 in nsGenericElement::HandleDOMEvent (this=0x87d8bb0,
aPresContext=@0x846d638,
aEvent=0xbffff188, aDOMEvent=0xbfffed94, aFlags=1, aEventStatus=@0xbffff084)
at ../../../../layout/base/src/nsGenericElement.cpp:777
#15 0x40e1b01d in nsHTMLTableCellElement::HandleDOMEvent (this=0x87d8b98,
aPresContext=@0x846d638,
aEvent=0xbffff188, aDOMEvent=0x0, aFlags=1, aEventStatus=@0xbffff084)
at ../../../../../layout/html/content/src/nsHTMLTableCellElement.cpp:558
#16 0x40d8b2f8 in PresShell::HandleEvent (this=0x86fe3a8, aView=0x87f8358,
aEvent=0xbffff188,
aEventStatus=@0xbffff084) at
../../../../../layout/html/base/src/nsPresShell.cpp:2239
#17 0x411cb7d7 in nsView::HandleEvent (this=0x87f8358, event=0xbffff188,
aEventFlags=8,
aStatus=@0xbffff084, aHandled=@0xbffff028) at
../../../view/src/nsView.cpp:837
#18 0x411cb769 in nsView::HandleEvent (this=0x887c560, event=0xbffff188,
aEventFlags=8,
aStatus=@0xbffff084, aHandled=@0xbffff028) at
../../../view/src/nsView.cpp:821
#19 0x411cb769 in nsView::HandleEvent (this=0x887c4a8, event=0xbffff188,
aEventFlags=8,
aStatus=@0xbffff084, aHandled=@0xbffff028) at
../../../view/src/nsView.cpp:821
#20 0x411cb769 in nsView::HandleEvent (this=0x85d18c0, event=0xbffff188,
aEventFlags=28,
aStatus=@0xbffff084, aHandled=@0xbffff028) at
../../../view/src/nsView.cpp:821
#21 0x411d72e3 in nsViewManager::DispatchEvent (this=0x87de4a8,
aEvent=0xbffff188,
aStatus=@0xbffff084) at ../../../view/src/nsViewManager.cpp:1741
#22 0x411c98f8 in HandleEvent (aEvent=0xbffff188) at
../../../view/src/nsView.cpp:66
#23 0x404b35f0 in nsWidget::DispatchEvent (this=0x8587658, aEvent=0xbffff188,
aStatus=@0xbffff11c)
at ../../../../widget/src/gtk/nsWidget.cpp:1279
#24 0x404b3388 in nsWidget::DispatchWindowEvent (this=0x8587658,
event=0xbffff188)
at ../../../../widget/src/gtk/nsWidget.cpp:1190
#25 0x404b36a4 in nsWidget::DispatchMouseEvent (this=0x8587658,
aEvent=@0xbffff188)
at ../../../../widget/src/gtk/nsWidget.cpp:1306
#26 0x404b4684 in nsWidget::OnButtonPressSignal (this=0x8587658,
aGdkButtonEvent=0x8215b28)
at ../../../../widget/src/gtk/nsWidget.cpp:1868
#27 0x404b53b2 in nsWidget::ButtonPressSignal (aWidget=0x85f6750,
aGdkButtonEvent=0x8215b28,
aData=0x8587658) at ../../../../widget/src/gtk/nsWidget.cpp:2334
#28 0x405c8a99 in gtk_marshal_BOOL__POINTER (object=0x85f6750,
func=0x404b52d4 <nsWidget::ButtonPressSignal(_GtkWidget *, _GdkEventButton
*, void *)>,
func_data=0x8587658, args=0xbffff2a0) at gtkmarshal.c:30
#29 0x4058dc52 in gtk_handlers_run (handlers=0x8534458, signal=0xbffff25c,
object=0x85f6750,
params=0xbffff2a0, after=0) at gtksignal.c:1909
#30 0x4058d158 in gtk_signal_real_emit (object=0x85f6750, signal_id=20,
params=0xbffff2a0)
at gtksignal.c:1469
#31 0x4058b468 in gtk_signal_emit (object=0x85f6750, signal_id=20) at
gtksignal.c:552
#32 0x405c0110 in gtk_widget_event (widget=0x85f6750, event=0x8215b28) at
gtkwidget.c:2790
#33 0x4056013d in gtk_propagate_event (widget=0x85f6750, event=0x8215b28) at
gtkmain.c:1296
#34 0x4055f472 in gtk_main_do_event (event=0x8215b28) at gtkmain.c:753
#35 0x40604ed6 in gdk_event_dispatch (source_data=0x0, current_time=0xbffff620,
user_data=0x0)
at gdkevents.c:2098
#36 0x4062dc8f in g_main_dispatch (current_time=0xbffff620) at gmain.c:652
#37 0x4062e277 in g_main_iterate (block=1, dispatch=1) at gmain.c:870
#38 0x4062e3f9 in g_main_run (loop=0x81c42b8) at gmain.c:928
#39 0x4055eedf in gtk_main () at gtkmain.c:475
#40 0x4049d80f in nsAppShell::Run (this=0x80a1f48) at
../../../../widget/src/gtk/nsAppShell.cpp:399
#41 0x4032a031 in nsAppShellService::Run (this=0x809fda0)
at ../../../../xpfe/appshell/src/nsAppShellService.cpp:483
#42 0x804c85c in main1 (argc=1, argv=0xbffff834) at
../../../xpfe/bootstrap/nsAppRunner.cpp:580
#43 0x804cae9 in main (argc=1, argv=0xbffff834) at
../../../xpfe/bootstrap/nsAppRunner.cpp:670
Assignee: leger → pierre
Component: Browser-General → Style System
Summary: crash on infoworld
Using Linux apprunner 1999-11-08-08-M11, I crashed on http://www.infoworld.com/
two out of two tries with the following sequence of events (and then my X server
crashed right before I got to commenting on this bug):
TO REPRODUCE:
1 Load http://www.infoworld.com/
2 hit Stop before page is fully loaded
3 scroll down a bit
4 click on a link. You may have to click a few times before it does anything.
RESULTS:
* after 3) scrolling down causes all the colors to disappear, and the page shows
with its default styles
* after 4) crash
I didn't get a stack trace, but, based on the previous one here, changing to
style system.
|
||
Comment 3•26 years ago
|
||
Same crash on Mac. Apparently the frame passed to ApplyRenderingChangeToTree() is
invalid: it has been disposed somewhere else but it continues to be used by
nsStyleChangeList.
|
|
||
Comment 4•26 years ago
|
||
Bug 18167 will be closed as dup of this one. It describes a very easily
reproduceable test case: go to http://www.maths.newcastle.edu.au and select some
text.
|
|
||
Updated•26 years ago
|
Severity: normal → critical
OS: Linux → All
Priority: P3 → P1
Hardware: PC → All
Target Milestone: M12
|
|
||
Comment 6•26 years ago
|
||
It looks like this bug is in fact as easy to reproduce as 18167: a single click
on infoworld causes a crash.
|
|
||
Comment 8•26 years ago
|
||
On the http://www.maths.newcastle.edu.au page, it seems that an unclosed <a
name="Top"> tag is responsible for the crash. Removing this tag from the page
prevents the crash.
|
|
||
Updated•26 years ago
|
Status: NEW → ASSIGNED
|
|
||
Comment 9•26 years ago
|
||
The crash has been fixed in nsFrameManager.cpp but since the debug builds show
errors during the style context verifications in nsFrameManager:
VerifyContextParent(), I'm not marking the bug fixed yet.
|
|
||
Comment 10•26 years ago
|
||
I had to back out my change that was causing bug 20042. The status of this bug is
now:
- It no longer crashes on InfoWorld because they changed their presentation. It
no longer shows the debug output from VerifyContextParent() either.
- It still crashes on http://www.maths.newcastle.edu.au and as Michael pointed
out, it is related to the unclosed <a name="Top"> tag.
- A copy of the former InforWorld page will be attached to this bug report if
needed.
|
|
||
Comment 11•26 years ago
|
||
|
|
||
Updated•26 years ago
|
Assignee: pierre → troy
Status: ASSIGNED → NEW
Summary: crash on infoworld → Warning "aFrame is already associated with a region" (was crash on infoworld)
Target Milestone: M13
|
|
||
Comment 12•26 years ago
|
||
The old InfoWorld page doesn't crash anymore. We just have the following debug
messages:
--
WARNING: aFrame is already associated with a region, file nsSpaceManager.cpp,
line 718
###!!! ASSERTION: bad floater placement: 'NS_SUCCEEDED(rv)', file
nsBlockFrame.cpp, line 5444
--
Reset the target milestone.
Updated the summary.
Reassigned to Troy to have a look.
|
|
||
Comment 13•26 years ago
|
||
Block issue
|
|
Assignee | |
Comment 14•26 years ago
|
||
changing severity to "normal" and priority to "P3" since it no longer crashes.
It's not even clear if there is a bug here at all. The page layout looks
correct. I'll have to look into the space manager to see what the debug output
means.
|
|
Assignee | |
Comment 17•25 years ago
|
||
removed crash keyword, the crash was fixed long ago. I have a fix in hand for
the assert.
|
|
Assignee | |
Comment 18•25 years ago
|
||
fix checked in. should be able to verify against 4/17/00 build.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Whiteboard: fix in hand
|
|
||
Comment 20•25 years ago
|
||
Tested using the following builds:
Win: 7_18_11
Mac: 7_19_12
Linux: 7_20_09
No crashes. Verifying bug fixed.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•